multicore, wcet and iec-61508 certification of fail-safe ... · 3rdeuropean congress embedded real...

© COPYRIGHT IKERLAN 2015

Multicore, WCET and IEC-61508 certification of fail-safe mixed-

criticality systems

WCET WorkshopLund (7th July)

Jon [email protected]

mailto:[email protected]


Outline

2

Context

Multicore is what you need / what you will have

The need and opportunity

Wind turbine and railway case studies

Conclusions and lessons learnt

© COPYRIGHT IKERLAN 2015 3

01Context


Some Research Projects: Multicore & mixed-criticality

4


Keynote in a nutshell

5

Technology Push Product H2020Market Pull

http://www.google.es/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRw&url=http://www.energias-renovables.com/articulo/de-como-reutilizar-una-bateria-de-coche-20130912&ei=4hCIVaqtC4PX7QbJjrC4Aw&bvm=bv.96339352,d.bGQ&psig=AFQjCNFEf1JeJBkjQjRaIWeuUZbcOK87yA&ust=1435066957162054


Off-shore Wind Turbine

◊ A modern off-shore wind turbine dependable control system manages [1,2]:

• I/Os: up to three thousand inputs / outputs.

• Function & Nodes: several hundreds of functions distributed over severalhundred of nodes.

• Distributed: grouped into eight subsystems interconnected with a fieldbus.

• Software: several hundred thousand lines of code.

[1] Perez, J., et al. (2014). A safety concept for a wind power mixed-criticality embedded system based on multicore partitioning. Functional Safety in Industry Application, 11th International TÜV Rheinland Symposium, Cologne, Germany.

[2] Perez, J., et al. (2014). "A safety certification strategy for IEC-61508 compliant industrial mixed-criticality systems based on multicore partitioning." Euromicro DSD/SEAA Verona, Italy.

Source: www.alstom.com

6

http://www.alstom.com/


Automotive

◊ Automotive domain:

• The software component in high-end cars currently totals around 20 millionlines of code, deployed on as many as 70 ECUs [1].

• Automotive electronics accounts for some 30 % of overall production costsand is rising steadily [1].

• A premium car implements about 270 functions that a user interacts with,deployed over 67 independent embedded platforms, amounting to about 65megabytes of binary code [2].

[1] Darren Buttle, ETAS GmbH, Germany, Real-Time in the Prime-Time, ECRTS (KEYNOTE TALK), 2012.

[2] Christian Salzmann and Thomas Stauner. Automotive software engineering. In Languages for System Specification, pages 333–347. Springer US, 2004.

[3] Leohold, J. Communication Requirements for Automotive Systems. 5thIEEE Workshop on Factory Communication Systems (WCFS). Wien, 2004.

[4] National Instruments, How engineers are reinventing the automobile,, http://www.ni.com/newsletter/51684/en/ , 2013.

[3] [4]

7

http://www.ni.com/newsletter/51684/en/


Railway

8

[1] The European Rail Research Advisory Council (ERRAC), Joint Strategy for European Rail Research 2020.

[2] Kirrmann, H. and P. A. Zuber (2001). "The IEC/IEEE Train Communication Network." IEEE Micro vol. 21, no. 2: 81-92.

[3] F. Corbier, et al, How Train Transportation Design Challenges can be addressed with Simulation-based Virtual Prototyping for Distributed Systems, 3rdEuropean congress Embedded Real Time Software (ERTS), France, 2006.

◊ (On-board) railway domain:

• The ever increasing request for safety, better performance, energy efficient,environmentally friendly and cost reduction in modern railway trains have forced theintroduction of sophisticated dependable embedded systems [1].

• The number of ECUs (Electric Control Units) within a train system is of the order of a fewhundred [2,3].

• Groups of distributed embedded systems:

‐ Train Control Unit.

‐ Railway Signalling (e.g. ETCS).

‐ Traction Control.

‐ Brake Control.

‐ Etc.


02Multicore is what you need...

Multicore is what you will have...


Multicore & Mobile

10

Source: www.arm.com

http://www.arm.com/


Multicore & Automotive

11

Source: www.freescale.com

http://www.freescale.com/


Generic purpose multicore

12

Source: www.xilinx.com

http://www.xilinx.com/


Safety certification (IEC-61508)

◊ IEC-61508: Functional safety of electrical / electronic / programmable electronicsafety-related systems.

13

IEC-61508

IEC-61511

Process oil and gasRailway

EN-50126

EN-50128 EN-50129

Elevator

EN 81-1/prA2

Automotive

ISO 26262

…Machinery

ISO 13849


IEC-61508 safety standard & WCET

14

IEC-61508 ISO-26262

(7.4.2.2) The design method chosen shall possess features that facilitate the expression of: *…+ (4) timing constraints

(7.4.5) The software architectural design shall describe dynamic design aspects of the software components, including: [...] the temporal constraints

(7.4.17) An upper estimation of required resources for the embedded software shall be made, including: (a) the execution time;

(IEC-61508-3 Annex F) Non-interference between software elements on a single computer: F.5: cyclic scheduling algorithm which gives each element a defined time slice supported by worst case execution time analysis of each element to demonstrate statically that the timing requirements for each element are met

(Annex D) Freedom from interference between software elementsD2.2: With respect to timing constraints the effects of faults such as [...] incorrect allocation of execution time shall be considered and mechanisms such as cyclic execution scheduling can be considered.


Threats to be considered and managed

15

http://www.google.es/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRw&url=http://www.livetradingnews.com/internet-tech-threats-pushing-cios-to-the-front-office-63303.htm&ei=gA6IVafnG-b67AaE94DgCw&bvm=bv.96339352,d.bGQ&psig=AFQjCNHfmJm2NPMAI8aCtWP7cPQCIZW4iQ&ust=1435066341407685



◊ Worst Case Execution Time (WCET)

16

Source: www.freescale.com, www.xilinx.com





03The need and opportunity

http://www.google.es/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRw&url=http://theleadershipcontract.com/gut-check-can-you-make-the-time-to-just-think/&ei=rQ6IVdOlH7DQ7AaKj47QCA&bvm=bv.96339352,d.bGQ&psig=AFQjCNHakUDKc9uguqSLZ-qABruAI6AkgQ&ust=1435066410660036


Time to think.....

18

Common Understanding

Complexity Management

Product Context

Safety Certification

Context

Product Life Cycle and Variability


03-ACommon understanding

“What then is time? If nobody asks me, I know what time is, but if I am asked then I am at a loss

what to say” (St. Augustine )


Basic Concepts / Different Terms

Safety

Safety Critical

Mission Critical

Temporal isolation

Modular certification (?)

Scheduling:

Vestas model

Etc.

Functional Safety

Fail safe / Fail operational

High demand / Low demand

Temporal independence

Compliant Item

Scheduling (IEC-61508-3):

Deterministic scheduling methods

• Time Triggered Architecture

• Cyclic scheduling

Etc.

20

Research



◊ Temporal & Spatial independence, e.g., Shared resources (e.g., memory, cache,bus, interrupts) [1]

21

[1] Kotaba, O., et al. (2013). Multicore In Real-Time Systems – Temporal Isolation Challenges Due To Shared Resources. Workshop on Industry-Driven Approaches for Cost-effective Certification of Safety-Critical, Mixed-Criticality Systems (WICERT). Dresden (Germany).

ps ns msec second

Which is the time-scale of the temporal interference?






03-BComplexity Management

“Simplicity does not precede complexity, but follows it.” (Alan Perlis)

“Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.” (Alan Perlis)



◊ Complex (new) hardware components, e.g., Core interconnect fabric

◊ Lack of detailed documentation

23


[1] http://www.advancedsubstratenews.com/2009/12/multicores-perfect-balance/






◊ Interference among safety related and non safety related functions, e.g.

• Safe configuration.

• Safe startup and boot.

• Safe shutdown.

• Exclusive access to peripherals.

• Resource virtualization.

◊ Diagnosis

24






Complexity management

25


Complexity management

◊ Complexity: “the degree to which a system or component has a design orimplementation that is difficult to understand and verify”

◊ Cognitive complexity and number four:

• Human cognitive capabilities and four simultaneous relationships [1, 2]

• Working memory capacity for up to four simultaneous chunks of information [3]

• Quaternary relations are the most complex we can handle [1, 2]

• Human working memory capacity limited also to about four chunks of information [3]

◊ Complexity Management [4]: abstraction, partition and segmentation

26

[1] Bernhard Rumpler et al. Considerations on the complexity of embedded real-time system design tasks. In IEEE International Conference on Computational Cybernetics (ICCC), Tallinn, Estonia, 2006..

[2] Graeme S. Halford et al. How many variables can humans process? Psychological Science, 16(1):70–76, 2005.

[3] Nelson Cowan. The magical number 4 in short-term memory: a reconsideration of mental storage capacity. Behavioral and Brain Sciences, 24(1):87–114, 2001.

[4] H. Kopetz. The complexity challenge in embedded system design. In 11th IEEE International Symposium on Object Oriented Real-Time Distributed Computing (ISORC), pages 3–12, 2008.

Simplicity does not precede complexity, but follows it.

(Alan Perlis)

Fools ignore complexity. Pragmatists suffer it. Some can

avoid it. Geniuses remove it. (Alan Perlis)

http://www.google.es/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRw&url=http://www.wired.com/2014/07/everything-you-need-to-know-about-the-10-brain-myth-explained-in-60-seconds/&ei=y4qaVaDBN6KV7Aaf96OgAw&bvm=bv.96952980,d.bGQ&psig=AFQjCNGscpJunKRRMwWbQmzHb4WcELNeQA&ust=1436277834168101


03-CProduct Context

“However beautiful the strategy, you should occasionally look at the results.” (Sir Winston Churchill)


Understand the context..... Product

28



29

Source: www.xilinx.com, www.alstom.com





30

[1] Upwind – Design limits and solutions for very large wind turbines, March 2011



31

Mechanical Engineering

Electrical & Power Electronics Engineering

Control Engineering

Maintenance

Production

Installation, commission, etc.

Embedded Systems

€ & time

Source: http://www.space.com/5448-images-milky-loses-arms.html

http://www.space.com/5448-images-milky-loses-arms.html










03-DSafety certification context

“For me context is the key - from that comes the understanding of everything.” (Kenneth Noland)


Understand the context... Safety Standard

33

ANALYSIS

PLANNING REALIZATION

INSTALLATION & VALIDATION

OPERATION


Understand the context... Safety Standard

34

SYSTEM

[HW]

[SW]


03-EProduct Life Cycle & Variability

“The ability to ask the right question is more than half the battle of finding the answer.” (Thomas J. Watson)


Product vs. Part life cycle curves

36

[|] Pecht, M. G. and D. Das (2000). "Electronic part life cycle." Components and Packaging Technologies, IEEE Transactions on 23(1): 190-192.

Part life cycle curves [1]5 years 40 years


Variability of embedded processor features

◊ Manufacturer

◊ Core Family

• ARM

• X86

• PowerPC

◊ Number of cores

◊ Timers

◊ Memory, e.g.,

• Cache (hierarchy, size,

type)

• RAM Memory (hierarchy,

size, type)

• ROM Memory (e.g., Flash)

• External memory support

(e.g. DDR3)

37

◊ Buses, e.g.,

• Internal bus (hierarchy,

type, width)

• External bus interfaces

(e.g. PCIe)

• Communication buses

(e.g. CAN, Ethernet,

I2C, I2S, SPI, USB)

• DMA

◊ I/Os, e.g.,

• GPIOs

• ADCs (type, resolution,

number of channels)

• PWM

◊ Safety compliance

◊ Target Application

◊ Temperature Range(e.g. Industrial)

◊ Clock Frequency

◊ Supply voltage

◊ Package Type


04Wind turbine and railway case studies

“Nihil est enim simul et inventum et perfectum.” (Nothing is ever invented and perfected at the same time)

(Cicero, Brutus 71)


Off-shore Wind Turbine

◊ A modern off-shore wind turbine dependable control system manages [1,2]:

• I/Os: up to three thousand inputs / outputs.

• Function & Nodes: several hundreds of functions distributed over severalhundred of nodes.

• Distributed: grouped into eight subsystems interconnected with a fieldbus.

• Software: several hundred thousand lines of code.

[1] Perez, J., et al. (2014). A safety concept for a wind power mixed-criticality embedded system based on multicore partitioning. Functional Safety in Industry Application, 11th International TÜV Rheinland Symposium, Cologne, Germany.

[2] Perez, J., et al. (2014). "A safety certification strategy for IEC-61508 compliant industrial mixed-criticality systems based on multicore partitioning." Euromicro DSD/SEAA Verona, Italy.

Source: www.alstom.com

39



x86 + Hypervisor

x86 + Hypervisor

ETHERCAT

Speed Sensor (s)

Safety Relay

WDG

Safety Relay

COM SERVER

HMI

DIAG

Safety Protection

WDGP0

Supervision

Processor

External Shared Memory

External Shared Memory 2

CLK WD_B

CLK

Watchdog Device

L2 C

ach

e

L1 C

ach

eL1

Cac

he

Co

re D

evic

e

CLK WD_A

Watchdog Device

IODevice

IODevice

P0

PC

Ie

SCPU

GW AHB/PCIe

AH

B B

US

Per

iod

ic

Inte

rru

pt

RT Control

LEON3 FT + Hypervisor

LS M

EM

LEON3 FT + Hypervisor

Safety Protection

DIAG

LS M

EM

SAFETY CPU SINGLE PROCESSOR QUAD CORE PARTITIONED – 1oo2

Safety Concept – (B - ‘Multicore partitioning’)

40


◊ Scheduling (IEC-61508-3 Annex E):

• Static cyclic scheduling algorithm.

• Pre-assigned guaranteed time slots defined at design

• Synchronized based on the global notion of time

◊ Measurement Based Timing Analysis (MBTA):

• Acquisition of run-time events using tracing support provided by hypervisor

• Definition and execution of worst case scenarios and error injection

41

Safety Concept – (B - ‘Multicore partitioning’)

[1] Larrucea A. et al, “Temporal Independence Validation for IEC-61508 compliant Mixed-Criticality Systems based on Multicore Partitioning”, Forum on specification & Design Languages (FDL), 2015


Measurements

42

[1] Larrucea A. et al, “Temporal Independence Validation for IEC-61508 compliant Mixed-Criticality Systems based on Multicore Partitioning”, Forum on specification & Design Languages (FDL), 2015


Railway

43

[1] The European Rail Research Advisory Council (ERRAC), Joint Strategy for European Rail Research 2020.

[2] Kirrmann, H. and P. A. Zuber (2001). "The IEC/IEEE Train Communication Network." IEEE Micro vol. 21, no. 2: 81-92.

[3] F. Corbier, et al, How Train Transportation Design Challenges can be addressed with Simulation-based Virtual Prototyping for Distributed Systems, 3rdEuropean congress Embedded Real Time Software (ERTS), France, 2006.

◊ (On-board) railway domain:

• The ever increasing request for safety, better performance, energy efficient,environmentally friendly and cost reduction in modern railway trains have forced theintroduction of sophisticated dependable embedded systems [1].

• The number of ECUs (Electric Control Units) within a train system is of the order of a fewhundred [2,3].

• Groups of distributed embedded systems:

‐ Train Control Unit.

‐ Railway Signalling (e.g. ETCS).

‐ Traction Control.

‐ Brake Control.

‐ Etc.


Safety Concept

44

[1] Agirre, Irune et al, “61508 SIL 3-compliant Pseudo-Random Number Generators for Probabilistic Timing Analysis”, DSD 2015

*2+ Agirre, Irune et al. “A safety concept for a railway mixed-criticality embedded system based on multicore partitioning”, To be published


Railway Case study Experiments:

CICI phase:

VICI phase:

PTA (Probabilistic Timing Analysis)

45

C2: empty/PAK

C0: ETCS

Input vectors

RTBx

Collecttiming inf.

PC

Compute pWCET

FPGA – CICI Phase

C3: empty/PAK

C1: empty/PAKeth

eth

C2: ETCS Service

C0: ETCS Odometry

Input vectors

RTBx

Collecttiming inf.

PC

Compute pWCET

FPGA – VICI Phase

C3: TRACTION

C1: ETCS Emergencyeth

eth


05Conclusions and lessons learnt


Conclusions and lessons learnt

◊ It is feasible to achieve SIL3 IEC-61508 / Pld ISO-13849 / SILX EN-50128 in research ‘casestudies’ with current safety standard versions using:

◊ COTS multicore

◊ Partitioning with hypervisor

◊ WCET estimation based on MBTA and PTA

◊ There is a need and opportunity for WCET, but consider industry & research worlds:

◊ Common understanding (e.g., fail safe, temporal isolation vs. Temporal independence)

◊ Complexity management

◊ Product and safety certification context

◊ Product life-cycle and variability

◊ The same strategy can be extended to different domains with safety standards that useIEC-61508 as reference standard.

√ Wind Turbine, IEC-61508 SIL3 and ISO-13849 Pld.

√ Railway signaling, SIL4 EN-5012X

◊ Working with automotive domain case study ASILC ISO-26262.

47


www.ikerlan.es

IKERLAN - OLANDIXOPº. J. Mª. Arizmendiarrieta, 2

20500 Arrasate-Mondragón

Tel.: 943 71 24 00Fax: 943 79 69 44

IKERLAN - GARAIAPolo de Innovación GaraiaC/ Goiru , 920500 Arrasate-Mondragón

IKERLAN - MIÑANOParque tecnológico de Álava,C/ Juan de la Cierva, 101510 Miñano

IKERLAN - GALARRETAPol. Industrial Galarreta, Parcela 10.5, Edificio A320120 Hernani

multicore, wcet and iec-61508 certification of fail-safe ... · 3rdeuropean congress embedded real...

Documents